Operational Security

What is Risk?

Risk can be an overused term, but what does it mean? Let’s break it down.

Risk is a function of Threat (who/what) x Vulnerability (how) x Consequence (how much)

Risk is the result of a threat that exploits a vulnerability and causes damage.

The less risk, the better you sleep at night. Security is a moving target so it is impossible to be 100% secure, but it is possible to reduce your risk to the smallest acceptable level.

Threat is the "who" or "what" is capable of causing harm. Human threats may be a single person, a group, a competitor, or a nation state. Other threats may be a hurricane or a weather event.

Vulnerability is the "how" part of this equation and is a weakness (in terms of physical, technical, organizational, and cultural aspects) that can be exploited by an adversary to adversely affect (cause harm or damage to) that system.

Consequence is the "how much" damage that occurs and what it will cost you. This cost could be money, injuries, intellectual property, customers, property, reputation, or loss of life.

Changes in your protection and risk result in reducing your overall vulnerability, the one element of risk you can easily control.

Operational Security is the merging of critical components to ensure the continuity of operations and business. It includes:

  • Cyber Security
  • Physical Security
  • Personnel Security
  • Control/Process Security
  • Policies, Procedures, and Compliance
  • Foundational Security Decisions

Operational security offers the ability to better mitigate risk by addressing interdependencies, applying layers of security, and reducing vulnerabilities across the site as a whole.

Assessing operational security, we rely mainly on the values of the organization and map corporate objectives and business continuity to risk, mitigating as much as possible through a comprehensive view of operational security. Operational security should facilitate operations, rather than hinder them.

Resilience is the new operational objective. Be strong enough to prevent any damage and live through an incident.

  • Resilience includes prevention, protection, resistance, survivability, and recoverability.
  • Resilience is necessary because there is no absolute security, even with a defense-in-depth approach.
  • Consequence analysis is expanding and now includes cyber, physical, and personnel risks from intended or unintended events.
  • All of this makes resilience the goal!
Solutions for Energy Systems' Adversities